c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
Size

335KB
MD5

7b38d3f8dd025a9f713f44db5968ab17
SHA1

594dfc74d743412d598ae1b87922c96aacce582b
SHA256

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60
SHA512

067abd3eb8fc4c85f53003e0e898b85d9b4eebadeb26caef299e4110d3bce19247b73a4f955e142a09961ff4c87c41b1596a3755d1e226d91ff651cdb5ea0c6c
SSDEEP

6144:/H39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFbrMqu:v9dSSA8CwumYTyBJAPyglgq1farMqu

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">Oc/T5sDyMDfy6PxVglFHPc7G8RRZZ/1X+q3PffSfB748nZChTHkn12LqiYlInnwnKvUq4Nizi14vHoewDA1LF6lLWjgQqPQIu15K6zM29uadg/i+U4QFfA2wfcEphoh92OvN33sztzvShapa9QBWDIIKB1kJ5rG9x51Lt4ZGUt8VkAFhOi+fghmwgeoqu/PamPO44dPbN8HxUHOA96inDyQQwZ16ZAbEx4xZ7DVQNjSRetd3xHfHcqObszdFPFkmXF8HuetiCJVbLkW4t4h6ynrR1wTtnmHby/ipXjdJDRnA7FuwTcol05tFEdg47nLpU3+bHGr9daUUDzpulXkNkFg/NBqbaKJuzD1FxUBy9w9ENYHmhas8gr3RGiD2k+DcT/FAJ4QGKZC/WQ9uwwTYjB0LHEBmNiB/MFAV+QHnmnNeNt3khuQL0Lye1ktC4KFzH1OUytz6V7+sCjfltabtW7fhMEltmeqpHhu/ls2nqQuD8dchin6hquKECaYFFWBA/0tdG+5wbrkqwBP7FqlGhS01Uxo+AQ2nHlhb0KY1THRRf4izQjENe9grFmS4kI9iMkQdRv2/oWrxfxy86WH3BV90kw0PhCbXvwwZAUUzcgavlQDm3nWni8VSHxj7dYo1XmU/imQd3rwESciPSaKMfLm+iLHYcNEi1YOKXbChhu4RhPXYCQO883TXetBaTi9wR+oI8435BWRNZiDSGcXw6ZNTJchUhYLYxZUE9RpcMXBJd0Nb1V3uFaNyw+fEdvkVZkCn4lJWU1GUCTNTICDSQAaNLsiKytNko7rpxP4i5AXPaaWBc4CYvb0qM8Okj9Cyq9T7CMfegh7RMIFgaZlanHOWYKtdoMxcW5b0k5Hmsp802DIooMkwbTOIOLHTSRIKuLJy4xGKKTbJ3BxbFboonRkV7VoqMyYrV1s4R89+hFlaR3t7CADV+ASjSi76a/G8MPc4B1CZSRxPquXf5++m224g0DhP6NDvrdrcstKTndPrR9KoNrrOF7dNAm/JKhLH5Wbjn+pGDZS76rAaxSyB+GcfR+E9jpFIrLn7zXkYFIjtW7FBDumZCvkCj+Klf3AoGeDuaAUJgRBu8zbrD7P4CW2ohgL6Sr3dxXmmffQol3/Hp/l32dUTAMd4P7wAch6HrehW3+0yZzjiXcY3A1E10ML7eguQTJqNPa4WTQAuQwLuXnkMmdZZ9v6J9obU9tcIoZ9H6Bk1n9qvTTvEDCyy7eGQDypHS2SM3kTbbPsBJJ2FItkASeN4Dz4JCY32ExZzuVQ1vzwJQp1geO3z/TnmCjweSBgVB5lrPM9PQ0uTit0BWUb2xZVbrUhJLkjmTVq2Cdsj3s0AoPjYV9evFc5z7WYXej4g8Q4QAIeWHDJtb5tbnRAwB+xrT3GSZbOmGBGXw5zq28LBxK3BQDe7cOKomwZlmGLYsRM4rxG/O3NCLpkpXnzK0izt6T3J4/lBvBU7c+0P3eMu14DYGQe0DIZvDMvoPOXTnO9sCb4O5JQltE7rOWPOw5LRFettreTHMZvV3xfQWpxSZfCRkbocji900zY2vlu/nD2oLdldX9aRHE8BRWBT9yB38AqT0hUmuJbuJpQbdsS9qPVo16mlc8Jswz1VM1Ll0kqk5UhKbBZdKQKtEPNrBm4LUnGo+IZCida+wZqcOk6fFrA0zXpEGnz9J9fvFJwuZwJNdcqSYUUpNGI=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

description pid process target process

PID 2924 created 1068 2924 c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1648 bcdedit.exe
2628 bcdedit.exe
Renames multiple (7586) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2356 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2576 wbadmin.exe

description	pid	process	target process
PID 2924 created 1068	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	Explorer.EXE

pid	process
1648	bcdedit.exe
2628	bcdedit.exe

pid	process
2356	wbadmin.exe

pid	process
2576	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exec1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe\""	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe\""	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\S:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\K:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\V:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\A:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\I:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\N:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\O:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\T:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\X:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\F:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\B:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\E:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\L:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\R:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\U:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\W:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\M:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\Y:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\Z:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\G:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\J:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\Q:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\H:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened (read-only)	\??\P:	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

Drops file in Program Files directory 64 IoCs

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\alt-rt.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285796.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\RTF_BOLD.GIF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieMergeLetter.dotx	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\setup_wm.exe.mui	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR37F.GIF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tallinn	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\UrbanFax.Dotx	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\EmptyDatabase.zip	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fr\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\AFTRNOON.INF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090089.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106124.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00298_.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMSS.ICO	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_zh_4.4.0.v20140623020002.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\jvm.cfg	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\flyout.css	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152878.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Customer Support.fdt	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Moncton	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.HK.XML	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215070.WMF	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\How_to_back_files.html	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2948 2924 WerFault.exe c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1460 vssadmin.exe

pid	pid_target	process	target process
2948	2924	WerFault.exe	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

pid	process
1460	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2116	taskkill.exe
2412	taskkill.exe
1744	taskkill.exe
2020	taskkill.exe
2132	taskkill.exe
2388	taskkill.exe
3056	taskkill.exe
1276	taskkill.exe
768	taskkill.exe
952	taskkill.exe
2288	taskkill.exe
2728	taskkill.exe
1880	taskkill.exe
2108	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

pid	process
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2936	WMIC.exe
Token: SeSecurityPrivilege	2936	WMIC.exe
Token: SeTakeOwnershipPrivilege	2936	WMIC.exe
Token: SeLoadDriverPrivilege	2936	WMIC.exe
Token: SeSystemProfilePrivilege	2936	WMIC.exe
Token: SeSystemtimePrivilege	2936	WMIC.exe
Token: SeProfSingleProcessPrivilege	2936	WMIC.exe
Token: SeIncBasePriorityPrivilege	2936	WMIC.exe
Token: SeCreatePagefilePrivilege	2936	WMIC.exe
Token: SeBackupPrivilege	2936	WMIC.exe
Token: SeRestorePrivilege	2936	WMIC.exe
Token: SeShutdownPrivilege	2936	WMIC.exe
Token: SeDebugPrivilege	2936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2936	WMIC.exe
Token: SeRemoteShutdownPrivilege	2936	WMIC.exe
Token: SeUndockPrivilege	2936	WMIC.exe
Token: SeManageVolumePrivilege	2936	WMIC.exe
Token: 33	2936	WMIC.exe
Token: 34	2936	WMIC.exe
Token: 35	2936	WMIC.exe
Token: SeBackupPrivilege	2092	vssvc.exe
Token: SeRestorePrivilege	2092	vssvc.exe
Token: SeAuditPrivilege	2092	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2924 wrote to memory of 2492	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2492	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2492	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2492	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2492 wrote to memory of 2652	2492	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2652	2492	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2652	2492	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2652	2492	cmd.exe	cmd.exe
PID 2924 wrote to memory of 2576	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2576	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2576	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2576	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2576 wrote to memory of 2508	2576	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2508	2576	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2508	2576	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2508	2576	cmd.exe	cmd.exe
PID 2508 wrote to memory of 2388	2508	cmd.exe	taskkill.exe
PID 2508 wrote to memory of 2388	2508	cmd.exe	taskkill.exe
PID 2508 wrote to memory of 2388	2508	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2420	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2420	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2420	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2420	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2420 wrote to memory of 2556	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2556	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2556	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2556	2420	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2288	2556	cmd.exe	taskkill.exe
PID 2556 wrote to memory of 2288	2556	cmd.exe	taskkill.exe
PID 2556 wrote to memory of 2288	2556	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2496	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2496	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2496	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 2496	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2496 wrote to memory of 2396	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 2396	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 2396	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 2396	2496	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2412	2396	cmd.exe	taskkill.exe
PID 2396 wrote to memory of 2412	2396	cmd.exe	taskkill.exe
PID 2396 wrote to memory of 2412	2396	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 1876	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 1876	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 1876	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 1876	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 1876 wrote to memory of 2832	1876	cmd.exe	cmd.exe
PID 1876 wrote to memory of 2832	1876	cmd.exe	cmd.exe
PID 1876 wrote to memory of 2832	1876	cmd.exe	cmd.exe
PID 1876 wrote to memory of 2832	1876	cmd.exe	cmd.exe
PID 2832 wrote to memory of 3056	2832	cmd.exe	taskkill.exe
PID 2832 wrote to memory of 3056	2832	cmd.exe	taskkill.exe
PID 2832 wrote to memory of 3056	2832	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 1452	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 1452	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 1452	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 2924 wrote to memory of 1452	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe
PID 1452 wrote to memory of 1256	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1256	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1256	1452	cmd.exe	cmd.exe
PID 1452 wrote to memory of 1256	1452	cmd.exe	cmd.exe
PID 1256 wrote to memory of 1276	1256	cmd.exe	taskkill.exe
PID 1256 wrote to memory of 1276	1256	cmd.exe	taskkill.exe
PID 1256 wrote to memory of 1276	1256	cmd.exe	taskkill.exe
PID 2924 wrote to memory of 2044	2924	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exec1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
"C:\Users\Admin\AppData\Local\Temp\c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2924
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2388
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sql writer.exe
      4⤵
      Kills process with taskkill
      PID:2288
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlserv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2412
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msmdsrv.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3056
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:796
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlceip.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1744
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:1420
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdlauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2116
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  PID:356
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1456
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im Ssms.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:768
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2028
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im SQLAGENT.EXE
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2020
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2480
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im fdhost.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2728
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:584
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2132
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1896
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im msftesql.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1880
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:1664
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im pg_ctl.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1476
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -impostgres.exe
      4⤵
      Kills process with taskkill
      PID:952
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:448
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:1192
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:3060
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2360
  - - C:\Windows\system32\net.exe
      net stop MSSQL$ISARS
      4⤵
      PID:2472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        5⤵
        
        PID:2328
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1688
  - - C:\Windows\system32\net.exe
      net stop MSSQL$MSFW
      4⤵
      PID:1944
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        5⤵
        
        PID:376
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1676
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      PID:2084
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        5⤵
        
        PID:1620
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:1004
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:912
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$MSFW
      4⤵
      PID:940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        5⤵
        
        PID:2984
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1064
  - - C:\Windows\system32\net.exe
      net stop SQLBrowser
      4⤵
      PID:2072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        5⤵
        
        PID:1692
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2812
  - - C:\Windows\system32\net.exe
      net stop REportServer$ISARS
      4⤵
      PID:2856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        5⤵
        
        PID:1316
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1572
  - - C:\Windows\system32\net.exe
      net stop SQLWriter
      4⤵
      PID:2976
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        5⤵
        
        PID:328
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2584
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1460
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1568
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      Deletes system backups
      Drops file in Windows directory
      PID:2576
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2744
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:2356
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2184
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2536
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2948
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1648
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2508
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2628
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:344
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:1200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 788
  2⤵
  - Program crash
  PID:2948

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1068
- C:\Users\Admin\AppData\Local\Temp\c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1720

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\How_to_back_files.html

Filesize
5KB

MD5
40e139987a37aab7d96cac47567e546a

SHA1
d30784a4149cb0800a00b8c53bf86b3de534beae

SHA256
ca92eb4174acb6632602c0e2682a5dfcff5eaa7db59b5453b029a0b6adf7e1f8

SHA512
77508d896e7c8a7dccdcf5bc0593a941b8468fea5364de8c1a0773d63e270360a5a58f61a5f6eecbb1416c7ce84f336c08219b948aaf2c8e1cf60ceb6e4eea04

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK

Filesize
1KB

MD5
a4a46155481bef74fca324c1cd0c02ab

SHA1
5896dcc6a53f8797ea730d8251cd26308832ed92

SHA256
f57e948b4a19f5736eae81a6a8ae8213df5aab89dd9dce65237ffa0c8c35a836

SHA512
efda36a3db7d764595a2b396da13525f9da75a1d4e4ce27117af484e2162852e25378e42762e413963ea1008756890ae5322b657ae2135a8718bd9e8d5e327da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
b9c74c2e93e1299ccd0d5e0dedd5fcf2

SHA1
b86e49de42dcfa1ffb2e65a6f65e1df5c12cf401

SHA256
cb8fb1b6f1879398b46a2f17723cc680243fa2307a3d37ec38d1740f855f00ad

SHA512
1705e3196f9fc03db862901d849a713c67ef3f0d42ff72e9fba6cfd6a81d4df4879e8e4091af16ec8009377cf7cc816638f22ceb6e80a112e06a56d4ab50904a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF

Filesize
1KB

MD5
a3052dd2c9609f11e297ca7e5c3e69dd

SHA1
54bdea997abafd2d5264928203deec694264e371

SHA256
fe59410e2541ced881b9a3d5e54b989f94ce4b9345865b169e79eb4106ad9a0c

SHA512
996d16bd2e77de925e1134b435dca5ef8dc5c282fe3885cc1c372ac3714c896930eab50c9ad04bd617a6a87ba2b9457e7f5869e4c0157cb81fded74394b46c6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
b741872a8625a4a8d1129a027dbb9ad0

SHA1
50a52710b45c3b6dd67035bdb9ed5343694b1e1c

SHA256
5e35af864c4966f96e4b56037103e492db0a2182f0cfa42526f64b378636a555

SHA512
6623711855ff0ae30ab70e11b4b12c526f045960bbcedf70098837db4153c4656a4fa2c920845b21eba82ede2491b0d7dbda0bde9136b91770a5dcf75c18cb23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_F_COL.HXK

Filesize
1KB

MD5
cbaa7f790ecab48b7a0d47696e6f192a

SHA1
8609e8bbe2d5d1912c9b8a4e42c671d8ac70c9dc

SHA256
f453b180370f83973552b4b9d9bafbd67e2c71092e8b097fd96f333f3ce030e4

SHA512
98ebf7669fecef145d18ec44da005e6c62d9a44a44020a7c50c97bf40ea72db7880ccba241d4b10de1999495d821f13238c8c32218f5cd0843d35a1d31f23785

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK

Filesize
1KB

MD5
b49c479565686925369206697cda1a91

SHA1
74b4074ee9ee80c7497eda904ac08be5b6a31193

SHA256
adaf582728f5f53e6217243678b68f9a87457a8581b52d83834d639a6c94ac90

SHA512
d4e6ecfe02b7a0bb38d9b219dd81fddf46047e2773d6b6b89b4b7f5908b88bdfc71254b4d4593141769ca50435cf1f7381261fd265cdca3f63a3b0476a9f7114

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL

Filesize
258KB

MD5
4803cd64014065a105a824ec94d04055

SHA1
3429ee7e228c0e7aa0d50d2fe92671ebf49d6bce

SHA256
ec7b78859742dc6461b9bb1571d0b0f3ad0d779491e7cae289622e5067553104

SHA512
ce149b5da50fe8a792dbd193d804f717f99a43e69bc0357531bb5dd781c71b790efdb6ea52169c2d3eabbb9b1b939a597cae110b9da68a7a887ed659a4bbd46e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
565eaae039ba117584748bfde5a4eeb3

SHA1
7406b8e8c3459b143c23d0a7f8aa78adad689d8c

SHA256
c819975c6bec8380709c83f28ec6253e2af67edfecde7b85aa844080dbbc4af1

SHA512
831f2717b4b4db47a23593799ac05fe4d4ec9d97683ffc9e226eab4185b298a5d345e63dd31efec47eeedbb61317945f22b2e9da0326f400bb85d000154a8b55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
3c420b5062131cb02380a9693c2b6af5

SHA1
5d65c3c446db475bba0f568b56341ba530a83a2f

SHA256
26181166ed2705e8bb7a3ad742f0e3cac47351edc5e806e0ad7e7a9e4014f4a6

SHA512
e9e69310ed12c8d89c19e1a955f3565c44f6a981046f2a76c9b0b560484b72a3534a1f61c7908e489f9998d1371c0ede6a2e7d67c9b8d5124715c6e0ae4fe6c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
4KB

MD5
6e8c464886ac33d175fdbc0056c62cfb

SHA1
db5009283e341f462c58f2a7982e197801c1f77c

SHA256
0287dae47033c0732d3290b9b3693cdf98956eac712768a97889f15145bdbf75

SHA512
cbc521e2f3112aa361a2b9031593c37b982b07a37362d04521f336b1518013bfbec05469ad37a84014d5b31c6d61ebcee0d0c7a5ce1a8c0b4976e4d2502270e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF

Filesize
25KB

MD5
430c8fbb32b0a5ff5ce49592f1589472

SHA1
b479375be6751e073fc13d0ba92ca397fcf3038b

SHA256
c7022d66e7ffda84b01d3a0e80779a1f5d5e0e735c9c76319ae1a7d87db2c07f

SHA512
6525fa7dbb1acedf22c7f4351cf9061d5cff75028b57556367dda5e34fb0d5c5a4562ef70efc61d048625ef2d9e121801576e6e4b00c3dfb7997346cb65131f6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
1KB

MD5
da7fe6465854bc86a28804e09a9a62d9

SHA1
87a3dc30e0c89c245c85d5a9c536ff383747c4cc

SHA256
6e02f798c06baefcaf81c5804690387c6be55873069f5ccc30e9bcd22c0d8dcb

SHA512
dc7061eb71d6a2ddf6ad93fe58950975905baee5b5aaa990768f9fd846a377bde8a2977b06f37c4981221b2cfd05b6aab3205e5872a5d72e5b4c34426fe0476a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
5b81ca2e8df01c20138b8fa028ba2802

SHA1
e7ffb234ce14c687e38d9bf0dca1794ab788d6d1

SHA256
f9bad65840b61f5e361355054a2e79acd89fd591b743b37968e24695f1d90734

SHA512
2880af1c3d70c4faf31cb09f9840963efbab023e1f6c264dad0bce0417fe42da12cca5d1235ff1462e9d827a0c7c085c0080659028aa1f0275eca8b494997ff0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
4a45aac565747fa5c398f22ae161f8fc

SHA1
b1749e664997abe5b19589020efba08a4ab087eb

SHA256
ab5e49e3bd78979010cf4d2180ecf452512852578f225154086b11b8128fe743

SHA512
5877695c88be65a6d3dbec7d58e52c7f0b128d76e93efcd19fe210a10b628bf8a3eeacf5d968daa426c83fb5786a43616b49c5ca886b2872c40a1eb01c2796a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
4KB

MD5
6a5147a463d9bacc0bfae1ff387ae813

SHA1
facd416911e0619109917c23c38330839250ca9b

SHA256
6e79e8628e4418c65946af5417f30c2133d5d4d0287731d45671b73d29f3ff1d

SHA512
b464926397db442c753a6fd1b1649c43976ca63d393ea46deaad979dd2be5e66a03aee5f3eeed816cf75fe81d7e6c1bc80cc73dbc456bd0346723e3891b4de71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif

Filesize
7KB

MD5
7973fafd034f75da62876945bd0e5696

SHA1
83f4744656fea021861d169d8a0b8a50e9fad939

SHA256
31add430eb4f29dd0d0d0e53b635607b88ab33c3351f0f6d4e32cb58b92320d4

SHA512
07d4c6e6af7ca7450e69b2cab3ebd6b3059ec272ca9e8e9a549e2834936922ca44192b4c7e2ad49bdd178ac231ac76760144d99b01adbc4410feaf0dc74c41d8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif

Filesize
32KB

MD5
5c5746e8c2a4ac6fa695b2be978a34bb

SHA1
7785bb856f0563d9cbbdb9c2effcdb5b7b232e25

SHA256
d127785229aaa84b1d5feed3134ce8e6be7c517a92adfcbbca6cc540173664d1

SHA512
386b8570c92e01baab54c7f0c33e2a64fd5e3159e313fa47997e435b20d2b1dae1dfeea47be1cb5e6ef19f9540710df1fb94f2b9731c550ba36984833dfb4ca9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif

Filesize
6KB

MD5
e42d2946c2b044dd8d12ed39cb3d0c15

SHA1
b9dff085d0c33fadb0eb99a458d07a943ac28864

SHA256
a12fb8dc15ca06adbc5db0c391a5cebe14d9ccc693af74e4ebb0ca1d9d8d0a69

SHA512
636f9f3f127004baf0cd0472886f628cd1c8296a921c936fbf12d1701883c64abfc13a929fda442755f38193060469ce6befc70827994502950fb4df45234fd1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
21KB

MD5
58c58137a52dccbf92944d40535e74d5

SHA1
a1acf49c28525369cc7f30e6d927087c10176a61

SHA256
e16287d59cdbe994209a37b724995a5ee44e2206678225b4977f3be9fa550c80

SHA512
69a5351dc912f8fc94b234f9966e238b77bea2ee8cd765ad9336137461364b832ed8584e347f060ba4a539daa159dbe42972da2aa5259e217bf1bdf77c174fe0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif

Filesize
23KB

MD5
ea3f41c869e1d713b7433ed149915cce

SHA1
fc3a1519a8da17a47737e905b4286c59b76f71cf

SHA256
c52d0c96bc21773b14e1f82691e676b5a2f69a4ad11a8596fcd6314660bed7cd

SHA512
eba6611787b9c89e7bcb58fe1aec9d3954cd2d340380a292cad9f8262af5e1c209b47aff15d59c2b4e89e0cad85467f590dea9980244bd5f1fd31f9a881afce9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

Filesize
1KB

MD5
f116b722fa8267090211824c133d9336

SHA1
f5c66862cbe8dcdef8223fd65ff3d6615ed5e0f9

SHA256
b4a4f02eb55881a0c2d38a720245c08595e1111ae70efd3b2b34c5e74ccde370

SHA512
74119a1d8236d0f9f540a8485ff0ac582cf218bebf227a1756cfbee6f9ff2a71446f106dd43d6c4639bd3e957f8a832c42b5eaf9c547428370a618eb73ab2d9a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

Filesize
9KB

MD5
afc10a2e0aaf68cd616d3e616ce62c51

SHA1
d6c64ddf8e0158202120623a2b532fe99600d820

SHA256
ff1c8a20400e8d8acdbc471a06ab708c67782433a64f14269a6e004bc09a5538

SHA512
ecb0e34174b2f261bf252ebd5140cdfb6c4f10ab5bf2f115871236d3fcd3869da2ea6507a64f2a76ec08291376fb3672d4539baf5646d72c5743ded20949316d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif

Filesize
16KB

MD5
9f937aeeee3fd145eea68158d25b8da1

SHA1
cd55c639a41f2be48762ef4a0987cdf3a957d465

SHA256
10f3869a75b6aae94fbe85f30d94dd2ea4aa25642ad66d42be33841ab5fccb2d

SHA512
543b4ebacd29b476b766216079082bff4170a3034466a55cb9c737a36df12da2741ae094ca41c87f7543bc639700399d23bef604414ab8d3b73d9d70a8cbef06

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif

Filesize
7KB

MD5
e68fad9775be44a8b6ed390a6e543697

SHA1
bc897b4f85c2293c28e7d4419b4db11164ef03bd

SHA256
7feb8a460abb623f9d88acfb59dbca4f915a333ec20a1eab4055b52765c25b87

SHA512
adb99a09cb01d07eb18b90b01bd58af931cbfa05ba896f4014850ee8a7780cc3fe22a7aae67e769d863f416f9eec4cee66dc27283cbcf18c18ab9b16045138cd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif

Filesize
21KB

MD5
91f5844b0628fd3e1d0e5eb256ef7090

SHA1
e9fc69b6321af3684e5d6bd7f7c5170f3d6becf2

SHA256
eb4d4c2313d2730b831a230c4ad09280d93689c17132fe425bc8f857dbcd84e2

SHA512
9215bb39062de9bc68e747b77e17c4685930967b4247fb09f320e1d9c5f027a61e38996a4876d35205b834a86f5092f53794ea055867c3d14f0d4f1b71fe8be0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif

Filesize
7KB

MD5
ac1a85e3a55d7f9561b397c214a7de45

SHA1
9a83163431be1d3936cd310160e101fc6b88a670

SHA256
0122511eb4d6fa8aaf1a503cf21887155280d826fe6b094ad188c7f5fba93e20

SHA512
998941ae472ad3795f6695724baed33ce5db2aef9612a05885dbf36fec65d7e755bcadb3bfcb82daebc6eeb7c4a2bb3c22464bdd95433fcb34e6338698183ea5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif

Filesize
16KB

MD5
bf766ef4314acc48cddca73b35c6775b

SHA1
4154d46f338c77b3d08761a39f09ff7c9e826fdd

SHA256
708856b2fc97ef1e6da912ac2a65290ea604f546b502c48a96b28e2f3e54d4a0

SHA512
132d9639e64b21b6d91f91bfbc42e9e739e398c5f01dac6485093ca658a9e86dfc80da3cdae8bb32607185d69d76bdbc95f11e3d4ec7fdad0acf393e144eea2e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
e8e886dc1f39136178d74845c1b43f05

SHA1
9a4fe34a0dcc61392117d681d1f5f8f6f2a99c67

SHA256
e81ec221ca81226e9f02ce432c7e908b4e1718bfb9ca6784732f4df150ebaa02

SHA512
41e599e1e3b17276f0fb60b57caab806c763849198af692343ca084a224dfe6e840d832740fd7e858776d0702edcdc7f9e054ebb45892d708b80b227ac795cc1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML

Filesize
2KB

MD5
369cc9e98080f66d9bd3015318c32b8f

SHA1
b5b68722889921a59b2c507157eb0650e1bbc998

SHA256
3c08ec36868de9546afb6123ec599a2ee56a7a296812a4ac8b52f2fe2de42d8a

SHA512
dc35f26c1cbc0f3d79aa05b19a9bad77978decf0f65e09d2624960653e2ff57da9c8dee137efc7607e528822cb6fb0c1d163aeb88703e7b44cf8cbee022e261d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML

Filesize
2KB

MD5
d2cb3a5e97213f4684c30525c722e1b9

SHA1
8e4ae9363e525142339443802e74acd8f7b229a0

SHA256
808d792c864fa5db675660cfb25f71a40600015d38cb00b76044f36ff578bdc0

SHA512
246af9468b26578f2b147b8a7d37d3b140a54762df745565e79bc6ede1b1c7a64a6283c04e0b6235e69634edec49c9c693834ae30e638dadd03f8ce66dee5d9b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\ij

Filesize
7KB

MD5
d60722e7f6a8b256d3ca00b2586bfb8d

SHA1
4b16c3841a931c0b5ec06f3e8e21d82a94552447

SHA256
574be12f950ee398cacdf10a438d3f1275c7b3c4e7fa036377fa2c65396fa1a6

SHA512
82f73f92743f0ce570105eee29233fa07f44a3c699f63903ebe30d6e33720c13bbf1b828b5d5c908f8201416efd9c3f36bed8e8bec23e7342bf0729f0ff6cb53

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
56b7edce11949fd9c1f187922b0b538d

SHA1
40c5dfa1fdee9c6a8c8000e0b3a1c9d08ae1aa0d

SHA256
e558c94d60b4b7cbfc0b9c806729c9ba8d95da57b5fed506c866ba78275b908c

SHA512
912ca9ca2e6db9b521eca2535563a591cd9fc9d76a73d782a9def95efd67fb0315fe9431806e276ce87191c6605d60f87352622fdcb2144f2fbd5ae5b4e4deaf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
579c9801643298c9cc8b13b717fe5458

SHA1
85758c704d80ae864006ac8e6e1bf614ce644da2

SHA256
9d7dcd12e0b2abf3f88ebc35b6955c16a5a5dadad36df0e835a22d7ee34d1d9f

SHA512
c29efe28d898bdda65317e5c86b3740ecb31dbfbf313d1e1d7e0ea5c0a32e1312065573c6a848dda11dace91e5e6e26d1d4bde10bdda6e7ec46619671d976cc5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
223ee2a3361caf05d88c0d73b2d2052e

SHA1
7c33de6299475956f06556d6a986cb8f5ae52a74

SHA256
65d3e4493163a76f135026d08ed6596da129106919a1fa9a4ab54e1520a56f75

SHA512
ff545b88bc0f70c94512bf4e9dc696f7d8edffbb8fd2decb1deeae8a7c5a37ff5c5c0d7a7d431c6b44d25ae64b4d6a2dc1ae2d727fa862bd14f4a60cf8a812b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
02e3bef1680978b602c57b7896b34b2a

SHA1
cea6db66298d2ec89b7c7ab6228f4af92bc22760

SHA256
d6f54ada700061c31f6d2dfc8422f14c9d19a18046baf9ef721fe10da688b6d8

SHA512
5d8d5fd89e12b6661914a0af6e18315762e140098914de08b8ea4ad88e31789ebcc32ddff09127ae41ab3655f637298d1b4275371323b49bd6f7ba743396807a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
30c67c3fed14a53ca53e68f0871b46c1

SHA1
32c01ed5e8673b2bc1d7be7b7f8c90556be84094

SHA256
0779c5a828cb7d361fbfacf5a912124a04592f36de519f0fee5c8df45b64e18e

SHA512
a7d87b3467c50361a00392d33e3464e343481f9c966e7d080b7b130f72b3736cabfdfbc89445d835b6fdd4b978327e60aa9e80a27c675908da27de0b0bfd6fa2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
3481a9ffc4302e0d59906e1c12e65331

SHA1
4c057314ef54fe0610a1f9117d94bfe349d46f11

SHA256
3b469a44e3d4a06410855443943f2f28534ef9b96deb0241f20576240419102d

SHA512
027faf6931f33c3bcae4f0a0b6b80332712c20c25844d799e0665496c9bb9c404a8c884fcf22fb8ca2e168b0b5822c1528040d33792bf21b2925bdcffea61e74

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
46076380311425e42de8dd4677d39766

SHA1
4166d2f88a75e54ba4b3220ed6d97cac126a2ffc

SHA256
f5c09d598cbc1f492c489f54a75fe4fe2bb31cca4340a8d83b64568697abadd0

SHA512
b04a3513dba627656613f475b29e07759ddfb853154f23bb7154342167fcb52f56488a3a9d28ac85b41aff1e3b1e1ff54741b2db51c0c4c50d2b47a050b61122

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
6b321a56e5fefef3cb68e8ea800e9329

SHA1
cc7da1687f7d5eae030d70d3c3a3846d599fb0fe

SHA256
135888aef95df3bcafef4b59a5a134578402d6b90298219a04d097e9f4300afb

SHA512
2aef39b98e39b15415c2f5751b11cc8a741fda56febc84c65459187b5070e06782e54501bb0496c75348592f780594ad215d9d53d8f9836ddb85a395c7c29854

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
e1d7007bbf06573cf4012d78b27a9ca1

SHA1
322de97a2a640864617099c25d237047ce340b1d

SHA256
2837758afde4e4e5714f56fd18d66982c213eeb9b37b640310fca2cc12cf766a

SHA512
80aaa696c5440f8529ebf2b0cb321f4d0713705bdc2523c30feb82ba016d2e2f0be90bb4ebb426690e77f0218242cf4136a6f4e1ef209b4baf8c8b39fc7e695a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
d0606de97d438b18f4b5b1feb720d9f7

SHA1
bf7477843399ddeb405a81b74604dd039cf4a4a6

SHA256
9d0990f1a4db6a6293144cf6b022d7192a9c713bfa6a591f2a00ea4dd76f193b

SHA512
f89c11a707f001e94531a3ecd88e950c5670dd32ec4ae33f6b5f7a8bddc6735625fb92aaa61c073782765bf2a8fefd1b5c242e00ddd313285c144ebced471a65

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
77d54446bc5dc67a68dd79f2567445cc

SHA1
8c6aa013e49c8d461b366ed23f0988be2ca2be45

SHA256
aa06ee94cde0f22ae474b7504fe6f6ce19d2f6ac7057aee25385c755317f48af

SHA512
cf50111519573629b27c3840c385ed6977ae86b0214110858d0e879afb539a65921bc8a725832b5ec93efc6c57416565f5105bdf127dbbfae5b67e1a12d70a1e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
c8143235e21fee9e08049306c41a73f5

SHA1
a4a6c2f3bb480abf1ff4cbc22e6038f0eeef7727

SHA256
370f4f19f5683f09569b1e6a8e690f45bdd8be2a018f8394351febc2c6335dc3

SHA512
d1ead51403fa074df38323169a93aec1c4edd3a8cac9b4b4298c6edec75819261b2db4f18441acacf6c505fb6ee48b9cb5b501fffd24420291e86bbbd79d2f09

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden

Filesize
1KB

MD5
55f39ad863a613e9747ff36765a25eea

SHA1
dda21bc722a3e62d002348aa37be0182d0420338

SHA256
9ddf0af9b0852e72eb842297f4c549c07d95d10c8a546098281bb4fe1e4a2601

SHA512
c0912e79daad5b5fe1ef16e1bb0389ea72e0e3ac06e02262af403ec85b68ecbed8a370b725e4a112f9729e0258a18dd59387ab1319cd6614f1534adcd51af5f9

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
abde29eb0b55636aa146e16437632dab

SHA1
d0019df366f6e120eba0fb99ed51fd0bf07ffe91

SHA256
cd9a4dda1b07b8cd154cd088c68aeec1f6554963fc8706b1285e5f812141b711

SHA512
90e2f171b18a6278b66a15ea827f4c8e5ce9b78e6c8151ff6724ebedb04e3024170885a743946c604ac2443b23c9d088df56fb05c69eea0032bab5f1fb73f40f

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
01f489aaa3855e3b0eda665b9aec7163

SHA1
2d198ab23b81a939be928430399a749cd6215ec4

SHA256
f6e4ddbe226b267db076f57b4e9925a30bd9b4c60d227f69753091298b998d61

SHA512
3c2debd390bf392a1ba65b474a5d6e22d2a97f4d56497926f2abb0a7c8045e25f371f89d214fecc2179d89fb0a02be3e05d2456a318b9ba0a23fc0b2cbed160e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
9931374e43013823e08a0d4c9d06af42

SHA1
fed94749ce18feecbf11b8d7a794877dd5353a6c

SHA256
f93768bece1c6b903fcb6a063950c2ab5ec057acbf6e2830205ab1e3782aaed5

SHA512
0acb03da61daf95cb98055ff6962c9ffb1305930720e5010503a6c819b3f9c6bd2d880d35ef74c353c1b8ed34c934ad638b7395060a776d016fcce30e4fe7a2a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
f60dffb87c8999105cd8f6e5e22f9d5b

SHA1
a2005a69082c8eb7cf4bec571d79df253714ff76

SHA256
6a90d0e61dbbb290a5b892d6ec74dd559aa3b10c34443fb75ceb45b31d5f54ca

SHA512
bd0e31cbc62512ff7b71c80aab0c9069cb267f728e40a903a5b4381b623eebf629334e47f1bfbcfe2d23a7531a9cb86fcbc52a30e18d2ac1f80d30903ef34529

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
4ee5481a65d331da1e95afef96108eec

SHA1
5c186fee8e8b525ff14b5c162cb293e228411f60

SHA256
6d105c24e1a7ff2cccd9b47dcdd790c66b6470689315292f717d9d2f7dc239cc

SHA512
bc3fa4201b5b65382e58e35dfba7e55562132f4e72dcbf43a73358e936da36830ea10c8270440dcfd7854e267c41fee89852fb7318df51aa0fb6805f2f48c774

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
5933f674ee213e51e520acff8dea31da

SHA1
fa21f12e61c3838cc6b4b9e89a79bf3b41f9925c

SHA256
023b515d069514b34598de8b9eddb3bb991135f754368f740767081054ec9541

SHA512
723ed17462a49f2486debb64611f67ccda868c41de0748bed40ae763a2bf117832382aed69f95d25a0685c2224b7f3a3c764c28088e823e4a42de9d4939c8b01

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
acef32ebf89580b6c4f03e5ef06cee55

SHA1
1b0a87f12f145b0e83ee230bd0fbb326f9796244

SHA256
34997c5dd1ae647cf90f284b11059821482784591d841bfebb24fde76d4279d4

SHA512
f73619da28e49e6b96dd2dd4d8b99537b0b2bfe9b0212ea47857102fb7e346a894d831769fbf9fe261b273c038745243a16154db2b04f28ee5f4576c21a85349

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
8171728e9af454a63cbcd9500bf088bf

SHA1
a9027913d9cbae6cf89ba1da56321077e49223c3

SHA256
741f1eafb5b46c4be378c754b2495167a04757a0eb19835846a0d80f4215b1f7

SHA512
530824e9c81541002b654539a1e761bef7f87b17dbe0fd0cef880efaddb83448f4f833d4a711ceaf3e383ff259ef4bfb8e3305e0e4fdf509f1ebbba33577e50b

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
e05eb2617cb43b11467194fac09c7d82

SHA1
dc50a9dc8ef5a4e912ddb14d3ae844bc184ad73f

SHA256
db4d65882d48c5ae6331c4098c82200a40c86d0f84915514f5feca6133f0dc6f

SHA512
e1bf952cc647c6ab7772d3ffd01bf1a32204688621be8db759e098b87a906f2d8fe96d55c6c738b960255beef7f206e62bdcfbc6adcc65757d2ba1b650e60e4a

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
181KB

MD5
7998385d6982a399302f631be768fd29

SHA1
a79e4605bfb35ff8915197ff93f2d182465522a9

SHA256
e85282461ee57fdad4ee669a3fee14e4f3f6697c29f7bc31f401a2b02fdc3ee6

SHA512
06ebd1fa76866e2fec2c73f3d94a47d8b017b74e6257c465468d338bff3f63d5ca4ae01b22c30d95a0fa443a78308bc32951c85095f00ccfb4dd52c4c2b99c46

Download Submit